Software Application Security Becomes the Next Cyber Challenge for Federal Agencies

by Ryan Schradin
May 26, 2021
in Civilian, Cybersecurity, Defense & IC, DevSecOps, Digital Transformation

The federal government faces an endless list of cybersecurity threats, and as agencies continue their digital transformation journeys these threats will only increase. One of the most significant new targets for nation-state hackers is the software application itself. Today, both civilian and military agencies are embracing software applications that make their workforce more effective, automate repetitive or low-value tasks, and extract valuable, actionable insights from their mountains of data.

While these applications bring great efficiencies, those efficiencies can come at quite a price. According to Gartner, “Over 70 percent of security vulnerabilities exist at the application layer, not the network layer.” The National Institute of Standards and Technology (NIST) thinks the problem is even more significant, claiming that “92 percent of reported vulnerabilities are in applications not in networks.”

It’s clear that application vulnerabilities are among the most exploited weaknesses that hackers use to compromise and breach organizations. With applications becoming more prevalent and more relied upon, focusing on application security becomes absolutely essential.

But what many people don’t realize is that application security – or AppSec for short – is becoming more complex and complicated as a result of how we design, develop, and deploy software. The processes, systems, and technologies being leveraged to develop modern software are creating new vulnerabilities that some organizations either don’t know about or are unprepared to defend against.

On May 20, 2021, ICIT will be hosting a panel of experts to discuss two foundational components of modern software development and deployment – APIs and Infrastructure as Code (IaC) – the security concerns specific to each, and best practices for implementing them securely.

Speakers include:

• Nicolas M. Chaillan – Chief Software Officer and Co-Lead for the DoD Enterprise DevSecOps Initiative, U.S. Air Force
• Carrie Lee – Senior Technical Advisor, U.S. Department of Veterans Affairs (former Director of Digital Transformation Security)
• Elizabeth Schweinsberg – Digital Services Expert at US Digital Service, HHS Team (former Cybersecurity and Incident Response at Facebook and Google)
• Chris Hughes – Cloud Security Leader, Cybersecurity Professor, Board Advisor, DevSecOps Advocate, Principal Cyber Security Engineer, Rise8
• Nick Sinai (Moderator) – Senior Advisor, Insight Partners, Harvard Kennedy School, Obama White House (former US Deputy CTO)

Watch Replay of Webinar Here

In advance of that Webinar, we sat down with Rusty Sides, Michael Deck, and Tom Corey of Checkmarx to get a better understanding of these new AppSec priorities and how they can leave government agencies and military organizations vulnerable to hackers and adversaries.

Here is what they had to share: 

Government Technology Insider (GTI): For our readers that may not be aware, can you define what infrastructure as code (IaC) is? How is it different from traditional infrastructure hardware? What drove the change from traditional infrastructure to IaC?

Tom Corey: IaC is essentially a way to automate the deployment of the infrastructure that runs and houses software and applications in cloud environments. Traditionally, this was done onsite with hardware – bare-metal devices that lived in on-premises data centers. However, with the rise of the cloud, this has shifted to code, which enables the streamlining of the infrastructure provisioning and configuring process.

Rusty Sides: That’s exactly right. Traditionally, setting up your own infrastructure and network meant physically interacting with devices on-premises. As the cloud became more popular, as developers began to develop their applications in the cloud, and as development teams have shifted their approach to DevOps, this changed.

Today, resources from the large cloud players – companies like AWS, Google, and Azure – and other hybrid cloud solutions are the preferred infrastructure for developing and deploying applications. And, to provision and configure these resources, developers and development teams utilize a repeatable script instead of physically interacting with hardware.

The tools and solutions that provision these resources – like Ansible, the open source software provisioning, configuration management, and application-deployment tool – function by reaching out and setting up the network and infrastructure. They configure everything, including which ports are being used and for what purpose. They really do automate the entire provisioning and configuration process, which can free up developers to do what they do best.

GTI: What unique security challenges are created by IaC? Would you say that it’s more or less secure than traditional hardware infrastructure?

Rusty Sides: Traditional infrastructure is just as insecure as IaC, but the difference is how we get there, and the automation involved. There is no way to automate the provisioning of physical data center infrastructure and hardware. And, because the operations team is often setting up the same network hardware and infrastructure over and over again, they’re learning what’s secure and how to configure everything to avoid vulnerabilities.

With IaC, it’s an entirely automated process done entirely via software. It’s also highly repeatable, so the development team is likely using the same provisioning and configuration script over and over again. If that provisioning and configuration script is configuring an infrastructure that is filled with vulnerabilities, not only is that infrastructure insecure, but there’s a chance that it’s being used repeatedly both within the team and across the organization.

GTI: Let’s transition and talk about the other new AppSec vulnerability that you’ve referenced – APIs. Can you define APIs? What are they and what role do they play in modern software and applications?

Rusty Sides: Monolithic applications – traditional applications that took years to create because developers were writing each and every line of code for an all-inclusive application – are mostly things of the past.

Today, we have cloud-native applications that are composed of multiple different microservices. Microservices are individual parts of an application that do a specific task or job that needs to be done as part of the larger application. For example, in an online retail environment, there may be an application that handles the credit card payment processing and another that checks inventory and begins the fulfillment process.

Application programming interfaces (APIs) are what allows these different applications to talk to each other. APIs enable these microservices to interact and complete the action.

GTI: What security challenges do APIs create for security teams and application developers?

Michael Deck: Because organizations are leveraging more and more APIs to connect these microservices to perform services, it’s creating a new security vector.

In the State of API Security annual report released by SALT, approximately 90 percent of respondents claimed to have experienced an API security incident in the previous year. They also found that 66 percent of respondents delayed the launch of an application due to an API security concern. That’s because APIs have a number of known vulnerabilities.

In fact, in 2019, the Open Web Application Security Project (OWASP) released a top ten list of API vulnerabilities that could expose application logic and sensitive data. This project, which was spearheaded by Checkmarx’s Head of Security Research Erez Yalon, includes a number of known software attacks and vulnerabilities, including injection and authentication flaws. This is making APIs an increasingly popular target for malicious actors.

GTI: What can application development teams do about these kinds of new threats?

Tom Corey: These are new vulnerabilities and new attack vectors, so they need to be treated the same as we treat any other threat. Development teams need to establish workflows around these vulnerabilities, establish standard operating procedures to help mitigate and remediate them, and implement solutions that can help ensure their software and infrastructure are safe.

Rusty Sides: When it comes to IaC, one of the most important things that development teams can do is implement Static Code Analysis of IaC solutions. In fact, Checkmarx has released its own Open Source IaC Static Code Analysis solution that we call Keeping IaC Secure (KICS), which enables developers to quickly and easily find security vulnerabilities, compliance issues, and misconfigurations in IaC tools.
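As an added illustration of what a static IaC check does (example code written for this page, not KICS or any Checkmarx code), the following Python scans a constructed provisioning definition for the kind of repeated misconfiguration described above: ingress rules that open non-web ports to the whole internet, shown beside a corrected variant. The rule format, port list and CIDR values are all assumptions for the example.

```python
"""Toy static check for IaC ingress rules (added example, not a real tool)."""
import json
from ipaddress import ip_network

# Constructed sample: the kind of firewall rules a provisioning script
# repeats across every environment. Not taken from any real project.
WEAK_RULES = json.dumps([
    {"name": "web", "port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"name": "ssh", "port": 22, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"name": "db", "port": 5432, "protocol": "tcp", "cidr": "0.0.0.0/0"},
])

# Corrected variant: management and database ports restricted to internal
# ranges (hypothetical network values), only the web port stays public.
HARDENED_RULES = json.dumps([
    {"name": "web", "port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"name": "ssh", "port": 22, "protocol": "tcp", "cidr": "10.20.0.0/24"},
    {"name": "db", "port": 5432, "protocol": "tcp", "cidr": "10.20.1.0/24"},
])

# Ports that are acceptable to expose publicly; anything else that is
# reachable from the whole internet is reported as a finding.
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    return ip_network(cidr, strict=False).prefixlen == 0


def scan_rules(rules_json: str) -> list:
    """Return one finding string per rule exposing a non-web port to all."""
    findings = []
    for rule in json.loads(rules_json):
        if is_world_open(rule["cidr"]) and rule["port"] not in PUBLIC_OK_PORTS:
            findings.append(
                f"{rule['name']}: {rule['protocol']}/{rule['port']} "
                f"open to {rule['cidr']}"
            )
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, scan_rules(rules) or "no findings")
```

Because the same script is reused across teams, one finding here is one misconfiguration multiplied by every environment that script provisions.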

Michael Deck: When it comes to API security, there are two tools that development teams can implement to help them keep their APIs and applications safe. First, there are static analysis tools that analyze where the source code is talking to the API and compare that against known vulnerabilities.

Also important is Interactive Application Security Testing (IAST) which identifies vulnerabilities that arise as the application is running. IAST solutions can look at how that application is using APIs and understand how those microservices are communicating with each other to determine if they’re doing anything malicious or leaving data exposed as they communicate with each other.

GTI: Tell us about this upcoming event with ICIT. What can attendees expect to learn, and why should they attend?

Tom Corey: This upcoming Webinar is really designed to raise awareness of these two new technologies and the associated security concerns. People are increasingly aware of the role that application vulnerabilities play in enabling cyberattacks and breaches, but they may not know about these two new vectors, in particular, or what to do about them.

We’re partnering with ICIT – which is the preeminent cybersecurity think tank in the nation – to raise awareness, show how IaC and APIs may be leaving organizations vulnerable and show them that there are tools and solutions that they can use to ensure that both their IaC and APIs are secure.

Want to learn more? You can register for the webinar here.


The original version of this article was published on GovDevSecOps on April 27, 2021. You can read it here.
